Keycloak Operational Guide

Overview

This guide covers basic operational tasks for managing a Keycloak instance.

Starting and Stopping Keycloak

Start Keycloak

# Standalone mode
./bin/kc.sh start

# Development mode
./bin/kc.sh start-dev

Stop Keycloak

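# Graceful shutdown: kc.sh has no stop subcommand; send SIGTERM to the server
# process (or press Ctrl+C when it runs in the foreground)
kill -TERM <keycloak-pid>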

Initial Setup

1. Create Admin User

On first startup, navigate to http://localhost:8080 and create an initial admin user.

2. Access Admin Console

Basic Operations

Realm Management

Create a Realm

  1. Click Add Realm dropdown
  2. Enter realm name
  3. Click Create

Export/Import Realm

# Export
./bin/kc.sh export --dir <export-dir> --realm <realm-name>

# Import
./bin/kc.sh import --dir <import-dir>

User Management

Create a User

  1. Select realm
  2. Navigate to Users → Add User
  3. Fill in user details
  4. Click Save
  5. Go to Credentials tab to set password

Reset User Password

  1. Navigate to Users
  2. Select user
  3. Go to Credentials tab
  4. Click Reset Password

Client Management

Register a Client

  1. Navigate to Clients → Create
  2. Enter Client ID
  3. Select Client Protocol (openid-connect or saml)
  4. Click Save
  5. Configure client settings and valid redirect URIs

Monitoring

Check Server Health

curl http://localhost:8080/health

View Logs

tail -f data/log/keycloak.log

Monitor Sessions

  1. Navigate to Realm Settings → Sessions
  2. View active sessions and statistics

Backup and Recovery

Backup Database

# For H2 (development)
cp -r data/h2 backup/

# For PostgreSQL
pg_dump keycloak > keycloak_backup.sql

Backup Configuration

cp -r conf/ backup/conf-$(date +%Y%m%d)

Common Maintenance Tasks

Clear Cache

# Restart server or use admin console
# Navigate to Realm Settings → Cache → Clear

Update Configuration

# Edit conf/keycloak.conf
# Restart Keycloak for changes to take effect

Token Settings

  1. Navigate to Realm Settings → Tokens
  2. Adjust timeout values as needed:
    • SSO Session Idle
    • SSO Session Max
    • Access Token Lifespan

Troubleshooting

Check Version

./bin/kc.sh --version

Enable Debug Logging

Edit conf/keycloak.conf:

log-level=DEBUG

Common Issues

Security Best Practices

  1. Change default admin credentials immediately
  2. Use HTTPS in production
  3. Configure firewall rules
  4. Apply security updates regularly
  5. Enable audit logging
  6. Use strong password policies
  7. Implement rate limiting for login attempts
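
Several of these practices can be checked offline against the realm JSON written by the export command shown earlier. The following is an added example, not part of the original guide or of Keycloak itself: the sample realm is constructed, the field names follow Keycloak's realm representation, and the 900-second token threshold is an assumed local policy.

```python
import json

# Constructed sample: a trimmed realm export (values are made up for the demo).
SAMPLE_REALM = json.loads("""
{
  "realm": "demo",
  "sslRequired": "none",
  "bruteForceProtected": false,
  "passwordPolicy": "",
  "eventsEnabled": false,
  "adminEventsEnabled": true,
  "accessTokenLifespan": 86400,
  "clients": [
    {"clientId": "portal", "redirectUris": ["https://portal.example.test/*"]},
    {"clientId": "legacy", "redirectUris": ["*"]}
  ]
}
""")

MAX_ACCESS_TOKEN_SECONDS = 900  # assumed local threshold, not a Keycloak default


def audit_realm(realm):
    """Return a list of (check, detail) findings for one realm export."""
    findings = []
    if realm.get("sslRequired", "external") == "none":
        findings.append(("https", "sslRequired is 'none'"))
    if not realm.get("bruteForceProtected", False):
        findings.append(("login-rate-limit", "brute force detection is off"))
    if not realm.get("passwordPolicy"):
        findings.append(("password-policy", "no password policy set"))
    if not realm.get("eventsEnabled", False):
        findings.append(("audit-log", "login events are not stored"))
    if not realm.get("adminEventsEnabled", False):
        findings.append(("audit-log", "admin events are not stored"))
    lifespan = realm.get("accessTokenLifespan", 0)
    if lifespan > MAX_ACCESS_TOKEN_SECONDS:
        findings.append(("token-lifespan", f"access token lives {lifespan}s"))
    for client in realm.get("clients", []):
        for uri in client.get("redirectUris", []):
            # A bare wildcard or plain-http target weakens redirect validation.
            if uri == "*" or uri.startswith("http://"):
                findings.append(("redirect-uri", f"{client.get('clientId')}: {uri}"))
    return findings

if __name__ == "__main__":
    for check, detail in audit_realm(SAMPLE_REALM):
        print(f"[{check}] {detail}")
```

To audit a real export, load the exported realm file with json.load and pass the resulting dict to audit_realm.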

Production Considerations